In case that a malicious mobile app hasn't the appropriate permissions to e.g. download a file, it can invoke a browser to download sth. Concrete examples of such an attack are shown from page 27 to page 29 in Android Security Architecture. I want to make sure that my mobile application isn't susceptible to this kind of attack. Hence my question is, how do I prevent my mobile application from being abused by a malicious one to exploit the mobile user?
Thanks in advance.
The root of the confused deputy problem is an application performing a sensitive action on behalf of a malicious user.
In the context of an android application, it is possible for an application to be launched with arguments. In this case an argument would be an attack surface that could be vulnerable to any sort of input validation vulnerability, including confused deputy attacks. In short, no android app should trust this input or perform an elevated action on behalf of the caller. Doing so would be a vulnerability.
If an android application is a webview, then it could be vulnerable to XSS, CSRF. These two vulnerabilities use the browser as a confused deputy and is discussed on the confused deputy problem Wikipedia page above.
